Countdown to DORA: Five Key Steps to Avoid Penalties Come January 2025


Given the complexity and interconnected nature of the financial services ecosystem, it’s hardly surprising that operational resilience remains under regulatory scrutiny and review. The consequences of isolated or systemic disruption to services, particularly due to cyberattacks, could be catastrophic, and authorities are quite rightly focused on both prevention and mitigation.

One of the consequences of these challenges is that from January 17th of next year, the EU’s Digital Operational Resilience Act (DORA) will come into force. Oversight activities begin and there are harsh financial penalties for non-compliance. The objective behind DORA is to strengthen “the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.”

On a practical level, it will harmonise the operational resilience rules across 20 different types of financial entities and ICT third-party service providers. These include the likes of credit and payment institutions, investment firms, crypto-asset services providers, organisations in the insurance and retirement sectors, and even crowdfunding services, among others.

The regulations require organisations to focus on a range of key areas. These range from ICT risk management (including third-party providers), digital operational resilience testing and incident reporting, to information sharing and the implementation of an oversight framework for critical third-party ICT providers. As such, they have the potential to have far-reaching consequences for financial entities and ICT providers who operate without the proper processes or controls in place.

As an EU law, DORA will not apply directly in the UK, but – in a similar way to GDPR – it is relevant to many UK-based financial entities or ICT providers that supply services to organisations in the EU. They need to abide by its rules, with violations potentially leading to penalties of up to 2% of total worldwide annual revenue, depending on the severity of each case. If GDPR enforcement is anything to go by, EU regulators are fully focused on the rules, with over €4 billion levied on organisations in breach of GDPR since 2018.

Planning for compliance

So, less than a year out from oversight activities commencing, what steps can organisations take to ensure they are compliant? There are five useful foundational points:

  • Form cross-department teams to coordinate an organisational approach: Collaborate across departments like IT, cybersecurity, compliance, risk, and legal to develop a comprehensive understanding of DORA’s implications.
  • Secure leadership buy-in: Ensure senior management understands and supports DORA’s importance, which can influence resource allocation and urgency in compliance efforts.
  • Assess current processes and vulnerabilities: Identify gaps between existing security measures and DORA requirements to proactively address weaknesses.
  • Update resilience objectives: Establish clear and actionable objectives aligned with DORA, allowing for prioritisation of compliance activities and investment.
  • Monitor regulatory updates: Stay informed about changes to DORA regulations and adjust compliance strategies accordingly, focusing on continual gap analysis and investment prioritisation.

In an environment where regulations play an increasing role in determining the direction of cybersecurity strategy, it’s vital that organisations hone their approach to compliance in general. Doing so opens up the prospect of a win-win whereby digital security and resilience are given the emphasis they deserve, and fewer organisations fall victim to serious breaches. What’s almost certain, however, is that at some point in 2025 the first DORA-related enforcement action will be announced. Organisations that prepare now can minimise their chances of making the wrong kind of headlines.

Darren Thomson, Field CTO EMEAI at Commvault